Passwords: To be or knOt2$B3? Take the Quiz!

Do you think passwords are still important? Do you ever worry about your passwords? We’ve been kicking around computer and information security for a while now. Why don’t we have a better answer?

Personally, I have gotten a little tired of password articles and blogs. I started “logging on” in about 1976, and I kind of thought we had said pretty much everything there was to say about passwords by now. Then, I recently spoke with some people born in the 1990s and 2000s, and it seemed like they tried their best to make my brain spring through the top of my skull. From these people in their teens and 20s I heard things like, “I just use the same password for everything,” and “I’m just a student, hackers don’t want my stuff.”

As a professional security geek, my reaction was more or less “you’re kidding, right?” But it should really not be a surprise when we look at some of the recent statistics about password use. This includes analysis of compromised passwords that shows that the most commonly used passwords are things like “123456” and “password”. Or droves of surveys done over the past six or seven years which keep saying that 55-70% of people (depending on the exact survey and year) use the same password across multiple accounts. Or similar studies that say 70-80% of passwords being used online are classified as “weak”, which often means a password that is less than eight lower-case characters, or is a simple dictionary word like “iloveyou”, “monkey”, “dragon”, or “ninja”.

We all know passwords are not a great solution for securing our accounts and information. But, it is what we have right now, so we might as well make the best of them, eh?

Curious how strong your passwords are? For some empirical checking, you might try one of these sites (in general, of course, I advise against entering your actual password):

Hopefully, using them is an eye-opening experience, and not a humbling one. As a point of reference, I tested a password with a construction similar to what I use to log on to my personal machine on these two sites. HowSecureIsMyPassword says it would take 71 quadrillion years for a desktop PC to crack the password, and askthegeek shows it as “Very Strong” with a score of 100%. But those only measure the technical part of the password.

Considering all of this input, I thought it was time for a 90 second quiz (probably less than that, so relax). Unfortunately, this is a text-based article so I cannot use a quiz tool that will accumulate your score for you, but, trust me, the scoring is really straightforward (you will know immediately if it goes south on you). The only real catch is that the quiz (and scoring) is not based on some password standard, but on my own personal criteria. I will assert that over 38 years of computer use, and 29 years of experience in the security world, gives me that right.

Points   Question

_____    +1 – If your passwords are at least eight characters.

_____    +5 – If your passwords are at least 10 characters.

_____    +1 – If you use both lower-case and upper-case in your passwords.

_____    +2 – If you include numbers in your passwords.

_____    +3 – If you include special characters (like @#$%*) in your passwords.

_____    -1 – If you include any numbers or special characters only at the end of your password.

_____    -3 – If your password mystery relies on substituting numbers for letters (it is simply not that tr1cky or 3L1T3).

_____    -5 – If you include keyboard sequences in your password (like "qwerty" or "mnbvcxz" or "123456789").

_____    -20 – If you include any form of the word "password" in your password (like "password" or "pwd" or "pass").

_____    -10 – If you repeat any letter or number more than two times (like "aaaa" or "666").

_____    -15 – If your password includes any part of your name, username, any month, or has anything at all to do with the site associated with the password (like having your Facebook password as “fbletmein” and your email password as “emailletmein”).

_____    -50 – If you use the same password on social media, email and private sites (like shopping and banking sites).

_____    -10 – If you have shared your personal passwords with anyone.

_____    -20 – If you keep passwords in email or in a plain text, unencrypted file.

_____    Total Score

Score           Description

Less than -50   Um. I’m not even sure why you pretend you are using passwords.

-50 to 0        Please reconsider your password habits – they are probably giving you a false sense of security.

0 to +15        In general, your password practices are not unreasonable. Check the quiz again to see how much more paranoid you are willing to get.

If you paid any attention to the scoring, you may have noticed a couple of things. The positive numbers are all small, and cover all of the technical parts of password construction. With a couple of small exceptions, the negative numbers are related to password usage. The technical side is the easy part – make a strong password. If any part of this is hard, it is the usage – use your password(s) wisely. It’s not like, as an industry, we consistently do either part well. But we have to do the two parts together. A strong password, used foolishly, is probably not going to help us much. At the same time, a poor password, used well, will, at best, make us think we are more secure than we really are.
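The split between construction and usage is exactly what makes the quiz only half automatable. The scorer below is an added example, not code from the article or its author, that applies each row of the quiz to a password: the construction rows are detected from the string itself, the usage rows (reuse, sharing, storage, emailing) are taken from a `usage` dictionary because no program can read them off the password, and the bands at the end map the total to the quiz's descriptions. The four-key threshold for keyboard sequences, the small built-in word list behind the number-for-letter rule, and the `context` tokens (name, username, site) are assumptions of the example, and the month check uses full month names only, so "may" will also match "maybe".

```python
import re
import string

# Constructed rule data for the quiz rubric (assumptions of this example).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SEQUENCE_LEN = 4  # four adjacent keys in a row count as a sequence
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
PASSWORD_WORDS = ["password", "pwd", "pass"]
# Tiny stand-in dictionary; a real checker would load a full word list.
DICTIONARY = {"password", "tricky", "elite", "love", "monkey", "dragon",
              "ninja", "letmein", "welcome", "secret", "hacker"}
# Common number/symbol-for-letter swaps: 0->o 1->i 3->e 4->a 5->s $->s @->a !->i
LEET = str.maketrans("01345$@!", "oieassai")


def has_keyboard_sequence(pw):
    """True if pw holds SEQUENCE_LEN adjacent keys of a row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - SEQUENCE_LEN + 1):
                if seq[i:i + SEQUENCE_LEN] in low:
                    return True
    return False


def relies_on_leet(pw):
    """True if undoing the swaps reveals a dictionary word the raw password hid."""
    low = pw.lower()
    plain = low.translate(LEET)
    return any(w in plain and w not in low for w in DICTIONARY)


def score_password(pw, context=(), usage=None):
    """Score pw against the quiz; returns (total, [(points, reason), ...])."""
    usage = usage or {}
    low = pw.lower()
    plain = low.translate(LEET)
    details = []

    # Construction rules: checked from the password itself.
    if len(pw) >= 8:
        details.append((1, "at least eight characters"))
    if len(pw) >= 10:
        details.append((5, "at least 10 characters"))
    if any(c.islower() for c in pw) and any(c.isupper() for c in pw):
        details.append((1, "lower-case and upper-case"))
    if any(c.isdigit() for c in pw):
        details.append((2, "includes numbers"))
    if any(c in string.punctuation for c in pw):
        details.append((3, "includes special characters"))
    core = pw.rstrip(string.digits + string.punctuation)
    if core != pw and core.isalpha():  # all non-letters sit in a trailing run
        details.append((-1, "numbers/special characters only at the end"))
    if relies_on_leet(pw):
        details.append((-3, "relies on substituting numbers for letters"))
    if has_keyboard_sequence(pw):
        details.append((-5, "keyboard sequence"))
    if any(w in low or w in plain for w in PASSWORD_WORDS):
        details.append((-20, "some form of the word 'password'"))
    if re.search(r"(.)\1\1", pw):  # same character three or more times in a row
        details.append((-10, "a character repeated more than two times"))
    if any(m in low for m in MONTHS) or any(t.lower() in low for t in context if t):
        details.append((-15, "name, username, month or site reference"))

    # Usage rules: answered by the reader, not derivable from the string.
    if usage.get("reused_across_sites"):
        details.append((-50, "same password on social media, email and private sites"))
    if usage.get("shared"):
        details.append((-10, "shared with someone"))
    if usage.get("stored_plaintext"):
        details.append((-20, "kept in email or an unencrypted file"))
    if usage.get("emailed"):
        details.append((-200, "emailed to someone"))

    return sum(p for p, _ in details), details


def describe(total):
    """Map a total to the quiz's score bands (boundaries assigned to the lower band)."""
    if total < -50:
        return "Um. I'm not even sure why you pretend you are using passwords."
    if total <= 0:
        return "Please reconsider your password habits."
    return "In general, your password practices are not unreasonable."


if __name__ == "__main__":
    # Constructed sample passwords, including the article's own "fbletmein".
    samples = [("password123", (), {}),
               ("Tr1cky!Horse", (), {}),
               ("fbletmein", ["facebook", "fb"], {"reused_across_sites": True})]
    for pw, ctx, use in samples:
        total, details = score_password(pw, ctx, use)
        print(f"{pw!r}: {total:+d} -> {describe(total)}")
        for points, reason in details:
            print(f"    {points:+d}  {reason}")
```

Run locally; it never contacts a site, which is the only way a check like this should be used on a real password. The interesting result is the one the article predicts: "Tr1cky!Horse" earns every construction point and still loses some for the substitution trick, while "fbletmein" scores positively on construction and is sunk entirely by the site reference and the reuse answer.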

Passwords are not the keys to our systems and information. At least they should not be. The purpose of a password is to help separate the wheat from the chaff, and to slow down attackers. We create good passwords, and then use them wisely for two reasons:

1. To help slow down access to our stuff, not stop it.

2. We don’t have an answer that is better than “passwords,” yet.

And, one last question for the quiz. If you have ever emailed your password to anyone you get to subtract another 200 points from your score.

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.